Top 10 Malware of May 2017
The Top 10 Malware made up approximately 53% of new malware infections reported by the MS-ISAC in May, a decrease of three percentage points from April, although there was a 38% increase in the number of Top 10 Malware notifications sent in May 2017 compared to April 2017. Every month the MS-ISAC maps the Top 10 Malware to infection vectors. This is done by using open source observations and reports on each malware type. The MS-ISAC observed a continued increase in spam in May, due to a rise in Kovter and Cerber notifications, while malvertising remained steady and dropped malware declined.
The MS-ISAC Top 10 Malware refers to the top 10 new actionable event notifications of non-generic malware signatures sent out by the MS-ISAC Security Operations Center (SOC). The infection vectors used in this mapping are defined as follows:
- Dropped – Malware dropped by other malware already on the system or by an exploit kit.
- Malvertising – Malware introduced through a malicious advertisement.
- Spam – Unsolicited emails, which either direct users to download malware from malicious websites or trick the user into opening malware through an attachment.
- Multiple – Refers to malware that currently favors at least two vectors.
- Kovter is a Trojan that has been observed acting as click fraud malware or a ransomware downloader. It is disseminated via both malvertising attacks and spam email attachments containing malicious Office macros. Kovter is fileless malware that evades detection by hiding in registry keys. Some reports indicate that Kovter infections have received updated instructions from command and control infrastructure to serve as a remote access backdoor.
- Cerber is an evasive ransomware that is capable of encrypting files in offline mode and is known for fully renaming files and appending a random extension. There are currently 6 versions of Cerber being disseminated via spam campaigns, and Trend Micro reports that it is evolving specifically to evade detection by machine learning algorithms. Currently, v1 is the only version of Cerber for which a decryptor tool is available.
- ZeuS/Zbot is a modular banking Trojan which uses keystroke logging to compromise victim credentials when the user visits a banking website. Since the release of the ZeuS/Zbot source code in 2011, many other malware variants have adopted parts of its codebase, which means that events classified as ZeuS/Zbot may actually be other malware using parts of the ZeuS/Zbot code.
- DNSChanger is malware that was very prolific in the late 2000s and early 2010s, before being dismantled by an FBI takedown. A new variant was identified in December 2017, which reportedly acts as an exploit kit targeting routers. Once infected, the routers’ DNS records are modified to point to a malicious server. DNSChanger is disseminated via malvertising and uses steganography to obfuscate its initial actions.
- Ponmocup is a downloader associated with one of the largest and longest running botnets, active since 2006. Ponmocup is usually disseminated through an infected web page as a malvertisement.
- Dridex is a banking malware variant that uses malicious macros delivered through either malicious embedded links or attachments. Dridex is disseminated via spam campaigns.
- Emotet is a banking malware variant that uses malicious macros delivered through either malicious embedded links or attachments. Emotet is in the same family of malware as Dridex and was previously regionally isolated in Europe, around Germany. In early April 2017, a campaign targeted the United Kingdom (UK) before surfacing in the United States in mid-April 2017. Emotet is disseminated via spam campaigns.
- Hancitor is downloader malware disseminated via phishing emails containing a malicious macro attachment and is known to obfuscate itself using PowerShell commands.
- Tinba, also known as Tiny Banker, is a banking Trojan, known for its small file size. Tinba uses web injection to collect victim information from login pages and web forms, and is primarily disseminated via exploit kits.
- Virut is a polymorphic virus that mostly infects executable files and has worm-like behavior. Virut spreads by copying itself to hard drives and opening a backdoor on the compromised device. It is disseminated via malvertising.